Healthcare , HIPAA/HITECH , Industry Specific

HHS Beefs Up Privacy Protection for Reproductive Health Info

Finalizes HIPAA Privacy Rule Changes Involving PHI Related to Reproductive Care
HHS Beefs Up Privacy Protection for Reproductive Health Info
Image: HHS

Doctors, clinics and other providers are prohibited from disclosing protected health information related to lawful reproductive healthcare, according to a final rule released Monday by federal regulators to "strengthen" HIPAA privacy. The rule is designed to protect women who cross state lines seeking an abortion and their providers.

See Also: How Enterprise Browsers Enhance Security and Efficiency

The regulations aim "to bolster patient-provider confidentiality and help promote trust and open communication between individuals and their healthcare providers or health plans, which is essential for high-quality healthcare," the Department of Health and Human Services said in a statement Monday.

The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned the nationwide right to abortion "altered the legal and healthcare landscape, increasing the likelihood that an individual's PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in healthcare providers and the healthcare system," HHS said. Fourteen states have put strict abortion bans in place since the Dobbs ruling, prompting fears that women and healthcare providers could be held liable for abortions performed in other states.

"Many Americans are scared their private medical information will be shared, misused and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health," said HHS Secretary Xavier Becerra in the statement.

The final rule provides "stronger protections to people seeking lawful reproductive healthcare regardless of whether the care is in their home state or if they must cross state lines to get it," he said.

The new 291-page regulations, which become effective 60 days upon its publication this week in the Federal Register, provide several key provisions, including:

  • Prohibiting the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide or facilitate reproductive healthcare that is lawful under the circumstances in which such healthcare is provided;
  • Requiring a regulated healthcare provider, health plan, clearinghouse or their business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive healthcare are not for purposes prohibited under the rule;
  • Requiring regulated covered entities, including healthcare providers, health plans and clearinghouses to modify their notice of privacy practices to support reproductive healthcare privacy.

HHS said the final rule takes into account the more than 30,000 public comments received on its proposed rule, which was issued a year ago (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).

Regulatory attorney Paul Hales of the Hales Law Group said that despite its title, the rule actually contains two other significant Privacy Rule modifications. One modifies the notice of privacy practices. The second coordinates 42 CFR Part 2 substance use confidentiality with HIPAA.*

"OCR was forced to combine them in this final rule because it can only modify a standard or implementation specification for HIPAA once every 12 months," he said.

Some other legal experts said their first impression of the final rule is that HHS appears to have exercised some restraint in making reproductive health information related changes.

"They targeted a narrower range of issues than they possibly could have but that they focused on specific issues and did a really good job of addressing those particular issues," said privacy attorney Kirk Nahra of the law firm WilmerHale.

"They also chose not to address some broader issues that I think would have had broader negative implications on the broader healthcare ecosystem, so I think it made sense that they did not get into those topics."

For example, HHS did not in either its proposed rule of final rule address a major change to the consent rules for reproductive rights information, Nahra said. "That would have disrupted too much of the broader healthcare ecosystem that the HIPAA rules are designed to facilitate."

Nonetheless, he said, some of the provisions of the final rule will likely require HIPAA-regulated entities to do some heavy lifting.

The rule's provision requiring healthcare providers, health plans and clearinghouses to modify their privacy practice notices to reflect the changes is an example, Nahra said.

"Revising every privacy notice is much more difficult than OCR seems to recognize. It’s a major obligation, not simply a bureaucratic obligation," Nahra said.

"Substance use providers must create and furnish patients with notices of privacy practices and adopt new policies to comply with Part 2 confidentiality modifications," Hales said.

Some reproductive health advocacy groups were quick to support the final rule.

"Too many people continue to fear being reported to law enforcement for their reproductive healthcare decisions and pregnancy outcomes. This final rule decreases the chances of healthcare providers reporting patients to law enforcement, protects people who are forced to travel to receive care, and promotes deeper trust between patients and providers," said Jocelyn Frye, president of the National Partnership for Women & Families, in a statement.

"Providers should never be forced to police and report on the patients who entrust them with their care," she said.

*Update April 23, 20243 UTC 14:15: Updated to reflect that CFR Part 2 privacy modifications included in the final rule.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.